Exam Professional Cloud Architect topic 1 question 120 discussion

According to my understanding the requirement is that only VM1 shall be able to communicate with VM2 and VM3, but not VM2 with VM3. We can exclude d) as d) would enable VM2 to communicate with VM3 as well - my assumption is, that if the quizzer wanted that d) is the correct answer, he would make just 2 peerings - 1x between VM1 and VM2 and 1x between VM1 and VM3 repectively the VPCs. We can exclude c) as well - there is no connection between VPC1 and VPC3. IMHO a) will not work. So the only correct answer seems to be b) - what I don't understand is why we have to update the firewall rules as IMHO the default firewall rules enable such communication (maybe some restrictive rules are implemented - not enough details in the question to clarify that part). Please correct me if I am wrong.

Answer is B

Direct Connectivity: Adding multiple NICs to Instance #1 allows it to be part of multiple VPCs directly. This configuration enables direct communication with Instance #2 and Instance #3 via internal IPs without requiring additional routing configurations. Simplicity: This approach is straightforward and avoids the complexity of setting up VPC peering or VPN tunnels. It ensures that only Instance #1 has access to both VPC #2 and VPC #3, maintaining the separation of the other VPCs.

VPC peering will allow access to instance 2 & 3 from 1 with internal IP, with necessary firewall rules added.

B for sure

Option B allows you to add additional NICs to Instance #1, each connected to a different VPC, facilitating direct communication between Instance #1 and the other instances while maintaining separate subnets.

B is wrong. NIC can only be configured while creating the instance. Here the instance is already created. C is correct answer. Refer limitation in this link: https://cloud.google.com/vpc/docs/create-use-multiple-interfaces

Router, VPN and VPC Peering for all 3 network is not required. Only option B solves the given scenario.

All answers are incorrect: subnets do not overlap and must remain separated. => can't choose A or C or D. Which leaves us with A: you can't attach nics to a compute engine instance after creation : see: https://cloud.google.com/vpc/docs/create-use-multiple-interfaces

Is D the correct, peering with adeguate forewall rule for only communication of Instance 1 with Instance 2 and 3

I vote for B: VPC peering does not support "cascading". Peer VPC 1 with VPC 2, and VPC 2 with VPC 3 does not allow traffic from VPC 1 to VPC 3.

B: NIC usecase when an individual instance needs access to more than one VPC network, but you don't want to connect both networks directly https://cloud.google.com/vpc/docs/multiple-interfaces-concepts

B is the correct answer, Connect the VPC1 instance to VPC2 instance with NIC1 and Connect VPC1 instance to VPC3 instance with NIC2. And update firewall rules to enable traffic between them. https://cloud.google.com/vpc/docs/multiple-interfaces-concepts#firewall_rules_and_multiple_network_interfaces

best practice is to add NIC to first instance

Only solution is peering. N1 peering to n3 and n3 to n1 makes all network peered. So answer should be D

B would be incorrect --> As without VPC peering or VPN it will not come into Play. D --> This is good as once VPN is established from 1 --> 2 and from 2 --> 3 ... data can flow from 1 to 3 via 2 ...

B is ok. C&D are wrong because they connect 1 to 2 and 2 to 3 , not 1 to3. 2 and 3 must be unreachable